Principal Product Security Engineer - Office of the CISO

Position Overview: We’re looking for a Principal Product Security Engineer to join our team and lead our product security to the next level and beyond. The ideal candidate for the strategic role is a senior, highly technical, passionate, team-oriented professional with a proven track record of excellence in technical product security engineering, leadership and execution. This role will be instrumental in shaping how security is integrated throughout the Obsidian SaaS product, hosting environments, and related services. 

The ideal person for this role must be mission and values-driven, must have an ownership mentality, and must put the well-being of our customers, our teammates, and our organization at the forefront of how they operate. This person must be able to operate and thrive in a dynamic, high-growth startup environment within an established Cybersecurity, GRC, and IT team and programs. This is a critical, high-impact role that will serve as a catalyst for growth for any seasoned cybersecurity professional.

The Principal Product Security Engineer reports to the Chief Information Security Officer and will be responsible for developing, implementing, optimizing, scaling, automating, and operating the Obsidian product security program. The Principal Product Security Engineer works closely with Engineering, Product, DevOps, GRC, and IT to support the company's product security needs. Candidates applying for this sensitive and high-impact role should be highly technical team leaders and operators with exceptional secure software engineering, automation, and application and infrastructure security experience, capable of implementing and operating application security, infrastructure protection, threat detection, and incident response capabilities and industry best practices across an organization with a cybersecurity mission and modern tech stack. This is a multi-faceted role within a fast-moving startup and will require the successful candidate to possess an ownership mentality, sound judgment, personal responsibility, and initiative.

Your Responsibilities Will Include

• Security Architecture and Technical Leadership
  • Provide technical leadership and guidance for the Security Team, mentor more junior security engineers.
  • Mentor engineers on secure design and coding practices, and influence cross-functional teams through technical thought leadership.
  • Ensure that the Product Security Program is properly defined and documented to include technical runbooks, standards, procedures, and continuity documentation.
  • Lead and drive scalable security design reviews for existing and new features and services.
  • Define and maintain secure and private-by-design development patterns, and architectural and operational best practices.
  • Lead security architecture reviews, threat modeling sessions, and secure coding workshops.
  • Help scale security knowledge across the organization through training and documentation.
  • Support escalations in customer and prospect security reviews and due diligence
• Secure SDLC & Code Review and Testing
  • Mature and integrate scalable security into the SDLC.
  • Provide deep technical reviews for high-risk areas in backend and frontend codebases and services
  • Ensure security testing is properly configured and deployed in code projects and CI/CD pipelines
  • Ensure that testing and review outputs are properly documented, prioritized, and worked through completion
  • Automate fuzzing, SAST/DAST, SBOM generation, and third-party dependency scanning.
  • Facilitate and evolve scalable threat modeling processes across SDLC.
  • Anticipate and address new attack surfaces as the product evolves.
• Cloud Security & Infrastructure Hardening
  • Partner with DevSecOps, DevOps, SRE, and Platform Engineering to improve the security of cloud environments, Kubernetes, data pipelines, CI/CD pipelines, and related resources.
  • Drive zero-trust principles in service-to-service communication and access controls.
  • Drive security maturity in critical Obsidian product resources such as secrets management systems, databases, and data pipelines.
  • Mature Infrastructure as Code (IaC) and related security tooling and practices.
  • Ensure that security tooling is properly configured and implemented to the maximum potential.
  • Monitor security tooling for security events. 
  • Ensure that the most important security metrics are collected and properly made visible via dashboards and reporting.
• Incident Response & Threat and Vulnerability Management
• • Act as a key technical lead in security incident response and after-action reviews. Prioritize, assess, and drive remediation of product and infrastructure vulnerabilities.
  • Create automation workflows for security incident detection and response across environments.
  • Support product penetration testing and corporate red teaming exercises.

What We’re Looking For

• A person who is excited about working at an industry-leading cybersecurity startup company with enterprise security needs.
• At least 10 years of Product Security experience in a cloud-native environment, with a preference towards experience in the cybersecurity industry
• Proficient in software engineering with emphasis on the Python programming language at a minimum
• Proficient in Terraform Infrastructure-as-Code 
• Proficient in securing Kubernetes 
• Proficient in securing AWS and GCP environments
• Proficient in securing the GitLab platform
• Proficient in security automation
• Proficient in security metrics collection and reporting
• Excellent understanding of multiple security domains such as application security, protection, detection, response, vulnerability management, or threat intelligence
• Be obsessive about security while doing everything possible to support the overall mission.
• Experience with modern IT systems such as Google Workspace, Microsoft 365, Slack, Notion, Jira, GitLab
• Experience working with multiple internal and external stakeholders during incident lifecycles
• Experience communicating across a company to encourage and educate on best practices, standards, and policies

What We Can Do For You

• Be part of a team-first, low-ego, mission-focused culture.
• Provide opportunities for professional development.
• Provide opportunities to make high-impact contributions to security.
• Influence the Obsidian product development.
• Annual conference attendance budget
• Competitive salary, equity, and health benefits
• Opportunity to publish research, share non-proprietary code, and present at conferences
• Reserve your seat on our rocket ship! We are funded by Greylock Partners, Google Ventures, Menlo Ventures, WingVC, Norwest Venture Partners, and are growing fast.

This role is a game-changer and is about securing our company and product as we provide cutting-edge capabilities to help organizations increase their security.